Wireshark检索语法
过滤IP地址
ip.addr eq 192.168.1.1
ip.addr == 192.168.1.1
//过滤源IP地址
ip.src eq 192.168.1.1
ip.src == 192.168.1.1
//过滤目的IP地址
ip.dst eq 192.168.1.1
ip.dst == 192.168.1.1
过滤端口
tcp.port eq 80 // 不管端口是来源的还是目标的都显示
tcp.port == 80
tcp.dstport == 80 // 只显tcp协议的目标端口80
tcp.srcport == 80 // 只显tcp协议的来源端口80
tcp.port >= 1 and tcp.port <= 80 //过滤端口范围
http模式过滤
http.request.method == “GET”
http.request.method == “POST”
http.request.uri == “/img/logo-edu.gif”
http contains “GET”
http contains “HTTP/1.”
// GET包
http.request.method == “GET” && http contains “Host: “
http.request.method == “GET” && http contains “User-Agent: “
// POST包
http.request.method == “POST” && http contains “Host: “
http.request.method == “POST” && http contains “User-Agent: “
// 响应包
http contains “HTTP/1.1 200 OK” && http contains “Content-Type: “
http contains “HTTP/1.0 200 OK” && http contains “Content-Type: “
一定包含如下
Content-Type:
字符串过滤
http contains”flag”
过滤协议
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
排除过滤的包!,not
!arp
not arp //排除arp包,
过滤MAC
eth.dst == A0:00:00:04:C5:84 // 过滤目标mac
eth.src eq A0:00:00:04:C5:84 // 过滤来源mac
eth.addr eq A0:00:00:04:C5:84 // 过滤来源MAC和目标MAC都等于A0:00:00:04:C5:84的
运算符
less than 小于 < lt
小于等于 le
等于 eq
大于 gt
大于等于 ge
不等 ne
包过滤长度
udp.length == 26 这个长度是指udp本身固定长度8加上udp下面那块数据包之和
tcp.len >= 7 指的是ip数据包(tcp下面那块数据),不包括tcp本身
ip.len == 94 除了以太网头固定长度14,其它都算是ip.len,即从ip本身到最后
frame.len == 119 整个数据包长度,从eth开始到最后
Wireshark功能选项
统计——>流量图
statistics——>Flow Graph
字符串查找
ctrl+f
